Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 2nd week of June 2017

New Detection Technique - HIDDEN COBRA

US-CERT has released a Technical Alert (TA) about the malicious cyber activity by North Korean actors known as HIDDEN COBRA. The Technical Alert (TA) provides technical details on the tools and infrastructure used by cyber actors to target the media, aerospace, financial, and critical infrastructure sectors in the United States and globally. Tools and capabilities used by HIDDEN COBRA actors include DDoS botnets, keyloggers, remote access tools (RATs), and wiper malware. Variants of malware and tools used by HIDDEN COBRA actors include Destover, Wild Positron/Duuzer, and Hangman.

We've added IDS signatures and the following correlation rule to detect this activity:

Trend Micro Control Manager 6.0 has a vulnerability that allows an attacker to bypass the authentication process by adding a cookie with a specific value. The flaw can further be exploited to read XML files.

We've added IDS signatures and the following correlation rule to detect this activity:

Industroyer malware contains a Denial-of-Service (DoS) component that can be used against Siemens SIPROTEC devices. This tool leverages the CVE-2015-5374 vulnerability by sending specially crafted UDP packets to port 50000 of the target IP addresses.

We've added IDS signatures and the following correlation rule to detect this activity:

TerraMaster F2-420 NAS has an unauthenticated Remote Code Execution vulnerability. Authentication can be bypassed by setting the kod_name cookie to any value, which then allows an attacker to upload any file to any location on the file system, since the web server runs as root.

We've added IDS signatures and the following correlation rule to detect this activity:

In the past week, we've seen an uptick in ransomware activity in the wild. We've added IDS signatures and the following correlation rule to detect new ransomware families:

System Compromise, Ransomware infection, Ishtar

We also added IDS signatures and updated correlation rules to better detect the following ransomware families:

System Compromise, Ransomware infection, Cerber

System Compromise, Ransomware infection, Filecoder

System Compromise, Ransomware infection, Jaff

New Detection Techniques

We've added the following correlation rules as a result of additional recent malicious activity:

System Compromise, Trojan infection, Win32/OmgTick

Updated Detection Technique - MacSpy

MacSpy is a remote access trojan for the OSX platform currently being sold in underground forums. It acts as spyware on the infected system, capturing screenshots, keystrokes, and clipboard data and sending them to a C&C server. The C&C server can send commands to the RAT to perform additional malicious activity.

We've added IDS signatures and the following correlation rule to detect this activity:

System Compromise, Malware RAT, MacSpy

Updated Detection Technique - Samba RCE Attempt (CVE-2017-7494)

A vulnerability in Samba was disclosed that allows a user to upload a shared library to a writeable share on a vulnerable Samba server and then cause the server to execute the uploaded file. An attacker can therefore upload an exploit payload to a writeable Samba share and gain code execution on any server running an affected version of the Samba package. This vulnerability currently affects all versions of Samba 3.5.0 and later.
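As an added example (not part of the original bulletin), the following Python script audits an smb.conf for the two conditions the description above depends on: shares an attacker could write to, and whether the `nt pipe support = no` global setting that Samba's advisory for CVE-2017-7494 published as a workaround is in place. The sample configuration is constructed for the example.

```python
# Constructed sample smb.conf (not from the bulletin): one guest-writable
# share, one read-only share, and no CVE-2017-7494 workaround in [global].
SAMPLE_SMB_CONF = """
[global]
   workgroup = WORKGROUP
[public]
   guest ok = yes
   read only = no
[docs]
   writable = no
"""

TRUE_VALUES = {"yes", "true", "1"}

def parse_smb_conf(text):
    """Minimal smb.conf parser: {section: {key: value}}, names lowercased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":       # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

def share_is_writable(opts):
    """Read-only by default; 'read only = no' or writable/writeable/write ok = yes opens it."""
    writable = False
    for key, value in opts.items():          # later keys override earlier ones
        flag = value.lower() in TRUE_VALUES
        if key == "read only":
            writable = not flag
        elif key in ("writable", "writeable", "write ok"):
            writable = flag
    return writable

def audit_cve_2017_7494(conf_text):
    """List writable shares and check for the 'nt pipe support = no' workaround."""
    conf = parse_smb_conf(conf_text)
    pipe = conf.get("global", {}).get("nt pipe support", "yes").lower()
    workaround = pipe not in TRUE_VALUES
    writable = sorted(name for name, opts in conf.items()
                      if name != "global" and share_is_writable(opts))
    return {"writable_shares": writable, "nt_pipe_support_disabled": workaround,
            "exposed": bool(writable) and not workaround}
```

The workaround only reduces exposure; patching to a fixed Samba release is still required.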

We've added IDS signatures and updated the following correlation rule to detect this activity:

We've added new IDS signatures to include the list of certificates identified by Abuse.ch to be associated with malware or botnet activities. The updated correlation rules use this information to detect command and control (C&C) communications related to several malware families, including:

System Compromise, C&C Communication, Known malicious SSL certificate

Updated Correlation Rules

We've updated the following correlation rules as a result of recent malicious activity: